Online Lending App Data Deletion and Privacy Rights

I. Introduction

Online lending apps have become common in the Philippines because they offer fast loans with minimal paperwork. A borrower may apply through a mobile app, submit personal information, upload identification documents, allow app permissions, and receive funds through a bank account, e-wallet, or other payment channel.

However, many borrowers later discover that some lending apps collect, use, or disclose personal data in abusive ways. Common complaints include harassment of contacts, public shaming, unauthorized access to phonebooks, threatening messages, repeated calls, disclosure of debt to family members or employers, retention of personal data after the loan is paid, and refusal to delete account information.

This article discusses the legal framework governing online lending app data deletion and privacy rights in the Philippines, including the rights of borrowers and data subjects, the obligations of lending companies, and the remedies available under Philippine law.

This is general legal information and not legal advice for a specific case.

II. The Nature of Online Lending Apps

Online lending apps usually operate through a digital platform that allows users to apply for loans remotely. The process often involves:

  1. Downloading the app.
  2. Creating an account.
  3. Providing a mobile number and email address.
  4. Uploading a valid ID.
  5. Taking a selfie or liveness check.
  6. Providing employment or income details.
  7. Linking an e-wallet or bank account.
  8. Granting app permissions.
  9. Agreeing to terms and conditions.
  10. Receiving a loan offer.
  11. Accepting the loan and repayment schedule.

Because the process is digital, personal data is central to the lending model. The lender uses personal information to verify identity, assess credit risk, disburse funds, collect payments, prevent fraud, and comply with legal obligations.

The problem arises when collection and processing go beyond what is legitimate, necessary, proportionate, transparent, and lawful.

III. Common Privacy Problems with Online Lending Apps

Borrowers commonly complain about the following practices:

A. Excessive Collection of Data

Some apps request access to information that may not be necessary for loan processing, such as:

  • full phone contacts;
  • call logs;
  • SMS messages;
  • photos and videos;
  • calendar entries;
  • social media accounts;
  • installed apps;
  • device files;
  • precise location history.

A lender may need certain information to identify the borrower and assess creditworthiness, but it should not collect excessive or irrelevant data.

B. Unauthorized Access to Contacts

Some apps request access to the borrower’s phonebook and later use those contacts for collection purposes. This is one of the most common privacy complaints.

The borrower may list one or two references, but the app may access the entire contact list. The lender or collector may then send messages to relatives, friends, co-workers, employers, or unrelated persons.

C. Disclosure of Debt to Third Parties

Some lenders inform other people that the borrower has an unpaid loan. This may include relatives, contacts, employers, or social media acquaintances.

Debt information is personal information. Disclosure to third parties without lawful basis may violate privacy rights and may also constitute unfair, abusive, or harassing collection conduct.

D. Public Shaming

Some collectors threaten to post the borrower’s name, photo, ID, alleged debt, or accusations online. Others create group chats or send messages branding the borrower as a scammer or criminal.

Such conduct may raise issues under privacy law, cybercrime law, civil law, criminal law, and financial consumer protection rules.

E. Threatening or Harassing Messages

Some collection agents use threats, insults, fake legal notices, false police claims, or intimidation. While a lender may lawfully collect a valid debt, collection must be done in a lawful and fair manner.

F. Retention of Data After Loan Payment

Borrowers often ask: “I already paid my loan. Can I demand deletion of my data?”

The answer depends on the type of data, purpose of processing, legal retention requirements, and whether the lender still has a lawful basis to retain the data. Payment of the loan does not automatically mean every record must immediately be deleted, but the lender cannot keep or use personal data indefinitely without lawful basis.

G. Refusal to Delete Account

Some apps make account deletion difficult or impossible. Others do not provide a privacy contact, data deletion option, or procedure for exercising privacy rights.

A personal information controller should provide a practical way for data subjects to exercise their rights.

IV. Main Philippine Laws and Regulatory Framework

Several Philippine laws and regulatory regimes may apply.

A. Data Privacy Act of 2012

Republic Act No. 10173, the Data Privacy Act of 2012, is the principal law protecting personal information in the Philippines.

It governs the processing of personal information by personal information controllers and personal information processors. Online lending companies generally process personal data and are subject to the Data Privacy Act when they determine the purpose and means of processing borrower data.

The law protects data subjects by requiring lawful, fair, and transparent processing. It also gives data subjects rights such as the right to be informed, right to access, right to object, right to erasure or blocking, right to damages, and other related rights.

B. Implementing Rules and Regulations of the Data Privacy Act

The implementing rules provide more detailed obligations for entities that process personal information, including requirements on consent, privacy notices, data subject rights, security measures, breach notification, accountability, and lawful processing.

C. National Privacy Commission Rules and Issuances

The National Privacy Commission is the government body responsible for administering and enforcing the Data Privacy Act. It handles privacy complaints, investigations, compliance matters, and data subject rights issues.

The NPC has addressed online lending app privacy issues, particularly abusive data collection and disclosure practices.

D. Lending Company Regulation Act

Republic Act No. 9474, the Lending Company Regulation Act, governs lending companies. Lending companies are generally regulated by the Securities and Exchange Commission.

Online lending companies must comply not only with privacy laws but also with lending regulations, registration requirements, disclosure obligations, and rules against abusive practices.

E. Financing Company Act

If the entity is a financing company rather than a lending company, financing company rules may apply.

F. SEC Rules on Lending and Financing Companies

The Securities and Exchange Commission regulates lending and financing companies and may act against abusive online lending practices. The SEC has issued rules, memoranda, and advisories concerning unfair debt collection practices, disclosure requirements, and online lending platforms.

G. Financial Products and Services Consumer Protection Act

Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, strengthens consumer protection in financial products and services. Depending on the entity and regulator involved, borrowers may have remedies for unfair, abusive, deceptive, or unconscionable acts or practices.

H. Cybercrime Prevention Act

Republic Act No. 10175, the Cybercrime Prevention Act, may be relevant where the lender or collector uses digital means to commit unlawful acts, such as identity theft, cyber harassment connected with other offenses, unlawful access, or cyber-related defamation.

I. Revised Penal Code and Civil Code

Certain conduct may also raise issues under the Revised Penal Code or Civil Code, including unjust vexation, grave threats, coercion, slander, libel, damages, abuse of rights, and invasion of privacy depending on the facts.

J. Consumer Protection and Collection Rules

Debt collection is allowed, but it must be lawful. Harassment, threats, false representations, disclosure to unrelated third parties, and humiliating tactics may expose the lender or collection agent to regulatory, civil, or criminal liability.

V. Important Privacy Concepts

A. Personal Information

Personal information refers to information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or which can identify an individual when combined with other information.

For online lending apps, this may include:

  • full name;
  • address;
  • mobile number;
  • email address;
  • birthdate;
  • employment details;
  • income details;
  • bank account or e-wallet information;
  • loan application details;
  • debt information;
  • repayment history;
  • device identifiers;
  • contact lists;
  • geolocation;
  • photographs;
  • ID documents;
  • account usernames.

B. Sensitive Personal Information

Sensitive personal information includes certain categories that require higher protection, such as information about age, marital status, health, education, government-issued identifiers, and other data specifically protected by law.

For online lending apps, sensitive personal information may include:

  • government ID numbers;
  • ID images;
  • financial account information;
  • authentication details;
  • biometric-style verification data;
  • information appearing in IDs or official documents.

C. Processing

Processing includes almost any operation performed on personal information, such as:

  • collection;
  • recording;
  • organization;
  • storage;
  • use;
  • retrieval;
  • disclosure;
  • transfer;
  • sharing;
  • blocking;
  • erasure;
  • destruction.

An online lending app processes personal data at almost every stage of the loan relationship.

D. Personal Information Controller

A personal information controller determines why and how personal data is processed. An online lending company is usually a personal information controller with respect to borrower data.

E. Personal Information Processor

A personal information processor processes personal data on behalf of a controller. Examples may include cloud service providers, collection agencies, verification providers, messaging vendors, analytics providers, or outsourced customer service providers.

A lender remains accountable for processors it engages.

F. Data Subject

The data subject is the individual whose personal information is processed. Borrowers, applicants, guarantors, references, and even phone contacts may be data subjects.

VI. Lawful Bases for Processing Borrower Data

A lending app cannot simply collect and use personal data because it wants to. Processing must have a lawful basis.

Common lawful bases include:

A. Consent

The borrower may consent to the processing of personal data. Consent must generally be informed, specific, and freely given.

However, consent is not a blank check. A borrower’s consent to loan processing does not automatically authorize excessive collection, harassment, public shaming, or disclosure to unrelated persons.

B. Contract

The lender may process data necessary to evaluate, approve, disburse, manage, and collect a loan under a contract.

For example, processing the borrower’s identity, loan amount, repayment schedule, and payment records may be necessary for the loan agreement.

C. Legal Obligation

The lender may need to retain certain records to comply with tax, accounting, anti-money laundering, corporate, regulatory, audit, and reporting requirements.

D. Legitimate Interest

A lender may process personal data for legitimate business purposes, such as fraud prevention, credit risk management, and lawful collection, provided the processing does not override the fundamental rights and freedoms of the data subject.

Legitimate interest must be balanced. It does not justify disproportionate, unfair, or intrusive processing.

E. Protection of Lawful Rights

A lender may retain and use certain information to establish, exercise, or defend legal claims.

For example, if there is an unpaid loan or dispute, the lender may retain records relevant to collection or litigation. But it must still use them lawfully.

VII. Principles of Data Privacy Applied to Online Lending Apps

Philippine privacy law is built around key principles.

A. Transparency

Borrowers must be informed about what data is collected, why it is collected, how it is used, who receives it, how long it is kept, and how they can exercise their rights.

A privacy notice should be clear and accessible. It should not hide important terms in vague or confusing language.

B. Legitimate Purpose

Data must be processed only for legitimate purposes. A lender may process data for loan application, verification, disbursement, collection, compliance, and fraud prevention.

It may not process data for harassment, public shaming, unauthorized disclosure, or unlawful pressure.

C. Proportionality

Only data that is adequate, relevant, suitable, necessary, and not excessive should be collected and processed.

This principle is crucial for online lending apps. Access to an entire contact list, photos, SMS, or unrelated files may be disproportionate if not necessary for the loan.

D. Data Minimization

A lending app should collect only the minimum information needed for legitimate purposes.

E. Purpose Limitation

Data collected for loan processing should not be used for incompatible purposes. For example, data collected for identity verification should not be used to shame the borrower online.

F. Security

The lender must protect personal data against unauthorized access, misuse, disclosure, alteration, loss, or destruction.

G. Accountability

The lender must be able to show compliance with privacy law. It should have privacy policies, data protection practices, records, safeguards, and procedures for handling requests and complaints.

VIII. Borrower’s Privacy Rights

A borrower is a data subject and has privacy rights under the Data Privacy Act.

A. Right to Be Informed

The borrower has the right to know when personal data is being collected and processed.

The lender should disclose:

  • identity of the lender or controller;
  • purpose of processing;
  • types of data collected;
  • recipients of data;
  • retention period;
  • data subject rights;
  • contact details of the data protection officer or privacy office;
  • consequences of refusing to provide data;
  • whether data will be shared with collectors, affiliates, credit bureaus, processors, or government agencies.

B. Right to Access

The borrower may request access to personal data processed by the lender. This may include confirmation of whether the lender holds personal data, the purposes of processing, categories of data, recipients, retention periods, and available rights.

C. Right to Object

The borrower may object to processing in certain cases, especially where processing is based on consent or legitimate interest.

However, objection may not always require deletion if the lender has another lawful basis to retain or process the data, such as legal obligation, contract enforcement, or legal claims.

D. Right to Rectification

The borrower may request correction of inaccurate or outdated personal data.

E. Right to Erasure or Blocking

The borrower may request deletion, removal, or blocking of personal data under appropriate circumstances.

This is central to online lending app data deletion requests.

F. Right to Damages

A data subject may claim damages for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information, where damage is suffered.

G. Right to Data Portability

Where applicable and technically feasible, a data subject may obtain a copy of electronically processed personal data in a commonly used format.

H. Right to File a Complaint

The borrower may file a complaint before the National Privacy Commission for privacy violations.

IX. The Right to Data Deletion or Erasure

The right to deletion is not absolute, but it is an important right. In Philippine privacy law, it is often discussed as the right to erasure or blocking.

A borrower may request deletion, removal, or blocking when personal data is:

  1. Incomplete, outdated, false, or unlawfully obtained.
  2. Used for unauthorized purposes.
  3. No longer necessary for the purpose for which it was collected.
  4. Withdrawn from consent-based processing.
  5. Processed unlawfully.
  6. Being used in a way that violates the rights of the data subject.
  7. Required to be deleted by law or order.

For online lending apps, data deletion may be appropriate where:

  • the loan application was not completed;
  • the loan was denied and data is no longer needed;
  • the loan has been fully paid and retention is no longer necessary;
  • the app collected excessive data;
  • the app accessed contacts without lawful basis;
  • the app used data for harassment;
  • the borrower withdraws consent for optional processing;
  • data was collected through deceptive or unfair means;
  • the app has no legal reason to keep the data.

X. Limits on the Right to Deletion

A lender may refuse immediate deletion of some data if it has a lawful reason to retain it.

Common reasons include:

A. Existing Loan Obligation

If the loan remains unpaid, the lender may retain data necessary to administer and collect the loan.

However, this does not allow abusive disclosure, harassment, or unnecessary retention of unrelated data.

B. Legal and Regulatory Compliance

Lenders may be required to keep certain records for tax, accounting, audit, anti-money laundering, corporate, regulatory, or reporting purposes.

C. Legal Claims

The lender may retain records necessary to establish, exercise, or defend legal claims.

For example, if there is a dispute about whether the borrower paid, the lender may retain loan documents, payment records, and communications.

D. Fraud Prevention

The lender may retain certain fraud-related records where necessary and proportionate.

E. Credit Reporting

Where lawful and properly disclosed, some data may be shared with authorized credit information systems or credit bureaus, subject to applicable rules.

F. Other Legal Obligations

A lender may be unable to delete data that it is legally required to retain.

But even where retention is lawful, the lender should restrict use, secure the data, and delete or anonymize it when retention is no longer justified.

XI. Deletion vs. Blocking vs. Retention

It is important to distinguish three concepts.

A. Deletion

Deletion means the data is removed or destroyed so it is no longer available for processing.

B. Blocking

Blocking means the data is retained but no longer actively used or disclosed, except for limited lawful purposes.

For example, a lender may block an account from marketing use but retain transaction records for legal compliance.

C. Retention

Retention means keeping data for a lawful purpose. Retention must still be limited, secure, and justified.

A borrower may not always get full deletion, but may be entitled to blocking, restriction, correction, or cessation of unlawful processing.

XII. What Data Can Usually Be Deleted After Loan Closure?

After full payment and account closure, the borrower may request deletion or blocking of data no longer necessary.

Potentially deletable data may include:

  • marketing preferences;
  • optional profile data;
  • unnecessary app permissions data;
  • contact list data;
  • photos or files not needed for legal compliance;
  • device permissions data;
  • excessive location data;
  • duplicate files;
  • data collected without valid consent;
  • data used for harassment;
  • app account data not needed for records retention.

However, the lender may retain:

  • loan agreement;
  • repayment records;
  • identity verification records;
  • transaction logs;
  • accounting records;
  • records required by regulators;
  • dispute records;
  • records needed for legal claims;
  • security logs for a limited period.

The key question is whether the specific data remains necessary for a lawful purpose.

XIII. What If the Loan Is Unpaid?

If the loan is unpaid, the borrower may still have privacy rights. An unpaid debt does not erase the borrower’s rights.

The lender may process data necessary for lawful collection, but it may not:

  • shame the borrower publicly;
  • contact unrelated persons;
  • disclose the debt to the entire phonebook;
  • threaten criminal prosecution falsely;
  • use abusive language;
  • use personal data for humiliation;
  • post the borrower’s photo or ID;
  • access data beyond what is necessary;
  • continue processing excessive data;
  • ignore data subject requests.

The borrower may request deletion or blocking of excessive or unlawfully collected data even if the debt remains unpaid.

For example, the lender may keep loan records but should not keep or use the borrower’s entire contact list if it was collected without lawful basis or is unnecessary.

XIV. Contacts and References

One of the most sensitive issues is access to contacts.

A. Listed References

A borrower may voluntarily provide specific references as part of a loan application. The lender may contact those references only for legitimate and disclosed purposes, and in a manner consistent with privacy and collection rules.

Even then, the lender should not disclose unnecessary details, shame the borrower, or harass the reference.

B. Entire Phonebook

Accessing or uploading the borrower’s entire contact list is highly problematic if it is not necessary and proportionate.

Even if the borrower clicked “allow contacts,” the validity of consent may be questioned if:

  • the app made access mandatory without justification;
  • the privacy notice was unclear;
  • the app collected more contacts than necessary;
  • contacts were used for harassment;
  • contacts were not informed;
  • the app used consent as a condition for unrelated processing.

C. Third-Party Contacts Are Also Data Subjects

People in the borrower’s contact list have their own privacy rights. They did not necessarily consent to the lending app collecting or using their names and numbers.

A lending app may be accountable not only to borrowers but also to third-party contacts whose data it collected or used.

XV. Debt Collection and Privacy

Debt collection is not illegal. A creditor may collect a lawful debt. But debt collection must comply with law.

Permissible collection may include:

  • reminders to the borrower;
  • formal demand letters;
  • lawful calls or messages;
  • settlement offers;
  • referral to authorized collection agencies;
  • reporting to lawful credit systems;
  • filing civil or criminal action where legally justified.

Improper collection may include:

  • contacting all phone contacts;
  • revealing the debt to relatives or employers without lawful basis;
  • threats of arrest for ordinary nonpayment;
  • insults or obscene messages;
  • fake subpoenas or fake court notices;
  • impersonation of police, lawyers, or government officials;
  • posting the borrower’s face or ID online;
  • creating group chats to shame the borrower;
  • repeated calls at unreasonable hours;
  • threatening physical harm;
  • using personal data for humiliation.

A borrower’s duty to pay does not give the lender a license to violate privacy rights.

XVI. App Permissions and Data Access

Borrowers should pay attention to app permissions.

Common app permissions include:

  • camera;
  • contacts;
  • location;
  • storage;
  • microphone;
  • SMS;
  • phone state;
  • notifications;
  • photos and videos.

Some permissions may be necessary for identity verification or app functionality. Others may be excessive.

For example:

  • Camera access may be needed to take a selfie or ID photo.
  • Location may be relevant for fraud prevention in limited cases.
  • Contacts access may be questionable if used broadly.
  • SMS access may be intrusive if it allows reading messages.
  • Storage access may be excessive if it allows scanning unrelated files.

A privacy-compliant app should explain why each permission is needed and collect only what is necessary.

XVII. Privacy Notice Requirements

An online lending app should have a clear privacy notice. It should ideally state:

  1. The name and contact details of the lender.
  2. The contact details of its data protection officer or privacy office.
  3. The categories of data collected.
  4. The purposes of processing.
  5. The lawful basis for processing.
  6. Whether data is shared with collection agencies, affiliates, credit bureaus, service providers, or regulators.
  7. The retention period.
  8. The borrower’s rights.
  9. How to request access, correction, deletion, blocking, or objection.
  10. Security measures.
  11. How to file complaints.
  12. Whether data is transferred outside the Philippines.
  13. How third-party references or contacts are handled.

A vague or hidden privacy notice may be legally insufficient.

XVIII. Consent in Online Lending Apps

Consent should be meaningful. It should not be obtained through deception, coercion, vague language, or bundled permissions unrelated to the loan.

Problems arise when apps:

  • force users to accept excessive permissions;
  • bury consent in long terms;
  • use pre-ticked boxes;
  • fail to explain data sharing;
  • collect contact lists without clear explanation;
  • make deletion impossible;
  • use consent for unrelated marketing or harassment;
  • treat permission access as consent for any use.

Consent must be limited to the purposes explained. It may also be withdrawn, subject to legitimate grounds for continued processing.

XIX. Withdrawal of Consent

A borrower may withdraw consent for processing based on consent. After withdrawal, the lender should stop processing that data unless another lawful basis applies.

For example:

  • The borrower may withdraw consent to marketing messages.
  • The borrower may withdraw consent to optional profiling.
  • The borrower may object to unnecessary contact-list processing.
  • The borrower may request deletion of data not needed for the loan.

However, withdrawal of consent does not cancel a valid loan obligation. The lender may still process data necessary to administer the loan, collect payment lawfully, comply with law, or defend legal claims.

XX. Account Deletion Requests

Borrowers often want to delete their account from the lending app. A proper request should include:

  • full name;
  • registered mobile number;
  • registered email;
  • loan account number, if any;
  • proof of identity;
  • statement that the borrower requests account deletion or data erasure;
  • statement whether the loan has been fully paid;
  • request for confirmation of deletion, blocking, or retention basis;
  • request for a copy of retained data categories and retention period;
  • request that contacts and excessive data be deleted or blocked.

The lender should respond within a reasonable period and explain what data was deleted, what data was retained, and the legal basis for retention.

XXI. Sample Data Deletion Request

A borrower may send a message in this form:

I am requesting the deletion, erasure, or blocking of my personal data processed by your company in connection with my online lending app account. My registered mobile number is [number], and my account or loan reference number is [number].

I request that you delete or block all personal data that is no longer necessary for the purpose for which it was collected, including any contact list data, optional profile data, excessive device data, and data collected without valid consent.

If you claim that certain data must be retained, please identify the specific data categories, the legal basis for retention, the retention period, and the safeguards applied.

I also request confirmation that my personal data will no longer be used for marketing, harassment, unauthorized disclosure, or contact with third parties not lawfully involved in my loan.

Please treat this as an exercise of my rights as a data subject under Philippine data privacy law.

The request should be sent through the lender’s official privacy email, customer support channel, in-app support, registered office, or other documented communication channel.

XXII. What If the App Ignores the Request?

If the lender ignores or refuses a valid request, the borrower may:

  1. Follow up in writing.
  2. Save proof of the request and non-response.
  3. Take screenshots of the app, privacy policy, and messages.
  4. File a complaint with the National Privacy Commission.
  5. File a complaint with the SEC if the lender is a lending or financing company engaged in abusive practices.
  6. Report harassment or threats to appropriate law enforcement agencies.
  7. Consider civil or criminal remedies depending on the facts.

It is important to document all communications.

XXIII. Filing a Complaint with the National Privacy Commission

A borrower may file a complaint with the NPC for privacy violations involving online lending apps.

Possible grounds include:

  • unauthorized collection of contacts;
  • disclosure of debt to third parties;
  • public shaming;
  • refusal to honor data subject rights;
  • excessive data collection;
  • unlawful processing;
  • security breach;
  • failure to provide privacy notice;
  • failure to delete or block data;
  • unauthorized sharing with collectors;
  • use of personal data for harassment.

The complaint should be supported by evidence.

XXIV. Evidence for a Privacy Complaint

The borrower should gather:

  • screenshots of app permissions requested;
  • screenshots of privacy policy or terms;
  • screenshots of account settings showing no deletion option;
  • copies of data deletion requests;
  • proof of sending the request;
  • responses or refusal from the lender;
  • screenshots of harassing messages;
  • call logs;
  • messages sent to contacts;
  • affidavits or statements from contacted third parties;
  • screenshots of public posts;
  • proof of loan payment;
  • loan agreement or disclosure statement;
  • name of app and company;
  • SEC registration details if available;
  • Google Play or App Store listing;
  • screenshots of collector names or numbers;
  • demand letters;
  • proof of damage or distress.

Evidence should be preserved in original form where possible.

XXV. Filing a Complaint with the SEC

If the online lender is a lending company, financing company, or online lending platform, the SEC may have regulatory authority.

Complaints may involve:

  • abusive debt collection;
  • unauthorized or misleading lending operations;
  • failure to disclose charges;
  • unfair collection practices;
  • use of threats or shaming;
  • operation without proper registration or authority;
  • violations of SEC rules for lending or financing companies.

A borrower may file with both the NPC and SEC when the facts involve both privacy violations and lending regulation issues.

XXVI. Reporting to App Stores and Platforms

Borrowers may also report the app to:

  • Google Play Store;
  • Apple App Store;
  • social media platforms;
  • messaging platforms;
  • web hosting providers;
  • payment channels;
  • e-wallet providers.

This may help stop further harm but does not replace legal complaints.

XXVII. Civil Remedies

A borrower may consider civil remedies if unlawful processing or abusive collection caused harm.

Possible claims may involve:

  • damages for violation of privacy rights;
  • moral damages;
  • exemplary damages;
  • attorney’s fees;
  • injunction;
  • deletion or cessation of unlawful processing;
  • liability for abuse of rights;
  • liability for defamation or humiliation;
  • liability for unlawful disclosure.

Civil remedies depend on evidence, damage, causation, and applicable law.

XXVIII. Criminal Issues

Some conduct by lending app operators or collectors may raise criminal issues depending on the facts.

Possible concerns include:

  • threats;
  • coercion;
  • unjust vexation;
  • libel or cyberlibel;
  • identity theft;
  • unauthorized access;
  • unlawful use of personal information;
  • falsification if fake legal documents are used;
  • usurpation of authority if collectors pretend to be police or court officers.

Nonpayment of a simple debt is generally not automatically a crime. However, fraudulent borrowing, use of false identity, or issuance of certain bad checks may raise separate legal issues. Lenders and collectors should not falsely threaten arrest for ordinary inability to pay.

XXIX. Can a Borrower Demand Deletion If the Loan Was Never Approved?

Yes, generally the borrower may request deletion or blocking of data if the loan was never approved and the data is no longer necessary.

However, the lender may retain limited records for fraud prevention, audit, compliance, or legal claims if justified. Excessive data, such as contact lists or unrelated device data, should not be retained without lawful basis.

XXX. Can a Borrower Demand Deletion After Full Payment?

Yes, the borrower may request deletion, blocking, or restriction after full payment.

The lender may retain some records for legal compliance, accounting, audit, dispute resolution, or legal claims. But it should not continue using the borrower’s data for unnecessary collection, harassment, marketing without consent, or third-party disclosure.

After full payment, the lender’s basis for aggressive collection processing disappears. Continuing to contact references or disclose debt after payment may be particularly problematic.

XXXI. Can a Borrower Demand Deletion While the Loan Is Still Unpaid?

Yes, but only as to data that is excessive, unlawfully collected, unnecessary, or used for unauthorized purposes.

The lender may keep data necessary to administer and collect the loan lawfully. But the lender should not keep or use data unrelated to collection or required legal purposes.

The borrower can demand:

  • deletion of contact-list data;
  • cessation of contact with unrelated third parties;
  • blocking of marketing use;
  • correction of inaccurate records;
  • restriction of unlawful disclosure;
  • confirmation of retained data and legal basis.

XXXII. Can the App Keep the Borrower’s ID?

It may keep a copy of the borrower’s ID if necessary for identity verification, loan records, regulatory compliance, fraud prevention, audit, or legal claims.

However, it must secure the ID, limit access, prevent misuse, and delete or anonymize it when no longer necessary.

If the loan was denied or the application abandoned, the borrower may have a stronger argument for deletion, unless retention is justified.

XXXIII. Can the App Keep Contact List Data?

Contact list data is much harder to justify. A lender may ask for specific references, but collecting an entire phonebook may be excessive.

Even if the app previously obtained access, the borrower may request deletion or blocking of uploaded contact data. Third-party contacts may also complain if their data was collected or used without lawful basis.

XXXIV. Can the App Contact the Borrower’s Employer?

A lender should be very careful in contacting an employer. If the employer was not listed as a reference or guarantor, disclosure of the borrower’s debt may violate privacy rights.

Even if employment verification is legitimate, the lender should limit disclosure to what is necessary. Telling an employer that the borrower is delinquent, dishonest, or subject to legal action may be unlawful if unnecessary, excessive, false, or harassing.

XXXV. Can the App Contact Family and Friends?

A lender may contact a person if that person was lawfully provided as a reference and the contact is limited, respectful, and consistent with disclosed purposes.

But contacting family, friends, co-workers, or random phonebook contacts to pressure or shame the borrower may violate privacy rights and collection rules.

The lender should not disclose debt details to third parties who are not borrowers, co-makers, guarantors, authorized representatives, or lawful references for a legitimate purpose.

XXXVI. Can the App Post the Borrower’s Photo or ID Online?

No legitimate debt collection purpose normally justifies posting a borrower’s photo, ID, private information, or debt accusation online.

Public posting may expose the lender or collector to privacy, civil, criminal, and regulatory liability.

XXXVII. Can the App Threaten Arrest?

Ordinary nonpayment of debt is generally not by itself a basis for immediate arrest. A lender may pursue lawful civil or legal remedies, but it should not use false threats of arrest, fake police reports, fake subpoenas, or fake court orders to intimidate borrowers.

If a collector impersonates law enforcement or sends fabricated legal documents, the borrower should preserve evidence and consider reporting the matter.

XXXVIII. Data Retention Policies

A responsible online lender should have a retention policy specifying:

  • categories of data retained;
  • purpose of retention;
  • retention periods;
  • deletion schedules;
  • legal basis;
  • security controls;
  • process for anonymization or destruction;
  • handling of closed accounts;
  • handling of denied applications;
  • handling of contact-list data;
  • handling of disputes and legal holds.

Retention should not be indefinite. “We keep your data forever” is generally inconsistent with proportionality and purpose limitation unless a specific legal basis exists for particular records.

XXXIX. Security Obligations of Lending Apps

Lending apps must protect personal data. Security measures may include:

  • access controls;
  • encryption;
  • secure authentication;
  • audit logs;
  • employee confidentiality;
  • vendor controls;
  • secure deletion;
  • incident response;
  • data breach notification procedures;
  • regular security review;
  • minimization of stored data;
  • safeguards for ID images and financial information.

If personal data is leaked, sold, accessed by unauthorized collectors, or exposed due to poor security, the lender may face liability.

XL. Data Sharing with Collection Agencies

Lenders often use third-party collection agencies. This does not remove the lender’s responsibility.

A lender should ensure that collection agencies:

  • process data only under instructions;
  • maintain confidentiality;
  • use data only for lawful collection;
  • do not harass borrowers;
  • do not disclose debt to unrelated third parties;
  • secure personal data;
  • delete or return data when no longer needed;
  • comply with privacy and collection laws.

A borrower may ask whether the lender shared data with a collection agency and may demand that unlawful processing stop.

XLI. Data Sharing with Credit Bureaus

Some lenders may report repayment history to credit information systems or credit bureaus, if allowed by law and disclosed to the borrower.

Borrowers should distinguish between:

  • lawful credit reporting;
  • unlawful public shaming;
  • unauthorized disclosure to personal contacts.

Credit reporting must follow applicable legal requirements and should not be used as harassment.

XLII. Cross-Border Data Transfers

Some online lending apps use foreign service providers, cloud servers, foreign parent companies, or offshore processors.

Cross-border transfer of personal data is not automatically prohibited, but the lender must ensure that data remains protected and that the transfer has a lawful basis and adequate safeguards.

A privacy notice should disclose whether personal data may be transferred abroad.

XLIII. Deleting the App Is Not the Same as Deleting Data

Uninstalling the app from a phone does not automatically delete personal data already collected by the lender.

A borrower should:

  1. Revoke app permissions.
  2. Delete or close the app account if possible.
  3. Send a formal data deletion request.
  4. Ask for confirmation.
  5. Preserve evidence before deleting local data.
  6. Follow up with regulators if ignored.

XLIV. Revoking App Permissions

Borrowers should review phone settings and revoke permissions for lending apps, especially:

  • contacts;
  • photos and videos;
  • SMS;
  • call logs;
  • location;
  • microphone;
  • storage.

However, revoking permissions only prevents future access from the device. It does not erase data already uploaded to the lender’s servers.

XLV. What to Do If Contacts Are Being Harassed

If an online lending app contacts the borrower’s phonebook or references abusively:

  1. Save all messages and call logs.
  2. Ask affected contacts to send screenshots.
  3. Record numbers, names, and timestamps.
  4. Do not delete the app or messages before preserving evidence.
  5. Send a written cease-and-desist and data rights request.
  6. File complaints with NPC and SEC.
  7. Report threats or impersonation to law enforcement if appropriate.
  8. Inform contacts that they may also assert privacy rights.

Contacts whose data was used may file their own privacy complaints.

XLVI. What to Do If Personal Data Is Posted Online

If the borrower’s photo, ID, debt information, or private details are posted online:

  1. Take screenshots showing URL, date, time, account name, and content.
  2. Save the link.
  3. Report the post to the platform.
  4. Send a takedown request if possible.
  5. File a complaint with the NPC.
  6. Consider reporting to law enforcement if threats, defamation, identity theft, or cyber-related offenses are involved.
  7. Preserve evidence before the content is deleted.

A takedown does not erase liability for the original posting.

XLVII. What to Do If the Lender Is Unregistered

Borrowers should check whether the lending or financing company is registered and authorized. If the company is unregistered or uses multiple app names, aliases, or fake corporate identities, the borrower should include this information in complaints.

Operating without proper authority may expose the operator to regulatory sanctions. It may also be a red flag for abusive or illegal practices.

XLVIII. Practical Data Deletion Checklist

A borrower who wants deletion should prepare:

  • full name used in the app;
  • registered mobile number;
  • registered email address;
  • loan account number;
  • proof of full payment, if applicable;
  • screenshots of the app account;
  • screenshots of permissions;
  • copy of privacy policy;
  • data deletion request letter;
  • proof of sending request;
  • lender’s response or non-response;
  • screenshots of any harassment;
  • statements from contacted third parties;
  • list of data requested for deletion;
  • request for retained-data explanation;
  • request to stop marketing and third-party disclosure.

XLIX. Suggested Structure of a Formal Data Rights Letter

A formal letter may contain:

  1. Identification of the borrower.
  2. Identification of the account.
  3. Statement that the letter is an exercise of data subject rights.
  4. Request for access to data categories processed.
  5. Request for deletion, blocking, or restriction of unnecessary data.
  6. Request for deletion of contact-list data.
  7. Request to stop unauthorized third-party disclosure.
  8. Request for correction of inaccurate data.
  9. Request for retention basis for data not deleted.
  10. Request for identity of recipients or processors.
  11. Request for confirmation of action taken.
  12. Warning that failure to act may result in complaint before regulators.

L. Sample Formal Data Rights Letter

Subject: Request for Deletion, Blocking, and Restriction of Personal Data

To the Data Protection Officer / Privacy Office:

I am writing to exercise my rights as a data subject under Philippine data privacy law.

My details are as follows:

  • Name: [Name]
  • Registered mobile number: [Number]
  • Registered email: [Email]
  • Loan account or reference number: [Number]

I request the deletion, erasure, blocking, or restriction of all personal data that is no longer necessary for the purpose for which it was collected, including but not limited to contact-list data, optional profile data, excessive device data, and data collected or used without valid consent.

I also request that you stop any unauthorized disclosure of my personal data to third parties, including persons who are not co-borrowers, guarantors, authorized representatives, or lawful references.

If you retain any personal data, please provide:

  1. The specific categories of data retained.
  2. The legal basis for retention.
  3. The purpose of retention.
  4. The retention period.
  5. The recipients or processors to whom the data was disclosed.
  6. The safeguards applied to protect the data.

Please confirm in writing the action taken on this request.

Sincerely, [Name]

LI. When a Lender May Lawfully Refuse Full Deletion

A lender may lawfully refuse full deletion if:

  • the loan remains unpaid;
  • records are needed for legal claims;
  • records are required for accounting or tax purposes;
  • records must be retained for regulatory compliance;
  • the data is needed to investigate fraud;
  • there is a pending dispute;
  • a legal hold applies;
  • deletion would violate another legal obligation.

But the refusal should not be vague. The lender should explain what data is retained and why.

A proper response would distinguish between:

  • data deleted;
  • data blocked;
  • data retained;
  • purpose and legal basis for retention;
  • retention period.

LII. Red Flags in Lending App Privacy Practices

Red flags include:

  • no company name;
  • no SEC registration information;
  • no privacy policy;
  • no data protection officer contact;
  • mandatory access to contacts;
  • mandatory access to SMS or files without explanation;
  • no account deletion option;
  • threats to contact all phone contacts;
  • public shaming tactics;
  • fake legal notices;
  • hidden fees;
  • extremely short repayment periods;
  • excessive interest or penalties;
  • multiple app names under unclear operators;
  • refusal to issue receipts;
  • refusal to acknowledge full payment;
  • continued collection after payment;
  • use of personal insults or threats.

These red flags should be documented.

LIII. Duties of Online Lending Companies

Online lending companies should:

  1. Register and operate lawfully.
  2. Provide clear loan terms.
  3. Provide a privacy notice.
  4. Collect only necessary data.
  5. Avoid excessive app permissions.
  6. Obtain valid consent where required.
  7. Use lawful bases for processing.
  8. Protect borrower data.
  9. Train employees and collectors.
  10. Supervise third-party collection agencies.
  11. Provide data subject request channels.
  12. Respond to deletion and access requests.
  13. Delete or block unnecessary data.
  14. Avoid disclosure to unrelated third parties.
  15. Avoid harassment, threats, and shaming.
  16. Maintain data retention and disposal policies.
  17. Cooperate with regulators.
  18. Maintain records of compliance.

LIV. Duties of Borrowers

Borrowers also have practical responsibilities:

  1. Read the privacy notice and loan terms.
  2. Avoid granting unnecessary permissions.
  3. Use only legitimate lending companies.
  4. Keep copies of loan documents.
  5. Pay valid obligations when due.
  6. Preserve proof of payment.
  7. Avoid submitting fake information.
  8. Communicate in writing where possible.
  9. Assert privacy rights properly.
  10. Report abusive practices with evidence.

Borrowers should not assume that privacy rights erase legitimate debts. Privacy rights regulate how data is handled; they do not automatically cancel financial obligations.

LV. Frequently Asked Questions

1. Can I demand deletion of my data from an online lending app?

Yes. You may request deletion, erasure, blocking, or restriction of personal data, especially data that is excessive, unlawfully collected, no longer necessary, or used for unauthorized purposes.

2. Can the app refuse deletion?

Yes, but only for data it has a lawful basis to retain, such as records needed for an unpaid loan, legal compliance, accounting, disputes, fraud prevention, or legal claims. It should explain the basis for retention.

3. Does paying the loan require the app to delete everything immediately?

Not necessarily. Some records may be retained for legal or regulatory reasons. But the app should stop unnecessary processing and delete or block data no longer needed.

4. Can the app keep my contacts?

The app should not keep contact-list data unless it has a lawful, necessary, and proportionate basis. Entire phonebook collection is often questionable, especially if used for collection harassment.

5. Can the app message my contacts?

Only in very limited lawful circumstances, such as contacting a reference for a legitimate purpose. Messaging unrelated contacts or disclosing your debt to them may violate privacy rights.

6. Can the app post my name or photo online because I owe money?

No. Public shaming is not a lawful debt collection method and may create privacy, civil, criminal, and regulatory liability.

7. Can I complain even if I still owe money?

Yes. An unpaid loan does not remove your privacy rights. The lender may collect lawfully, but it may not harass, shame, or misuse personal data.

8. Is deleting the app enough?

No. Uninstalling the app does not delete data already collected. You should revoke permissions and send a formal deletion request.

9. What agency handles privacy complaints?

The National Privacy Commission handles privacy complaints. The SEC may handle lending company and abusive collection issues. Law enforcement may handle threats, impersonation, or criminal conduct.

10. Can my contacts file complaints too?

Yes. If their personal data was collected or used without lawful basis, they may be data subjects with their own rights.

LVI. Practical Action Plan for Borrowers

A borrower concerned about data deletion and privacy should:

  1. Screenshot the app permissions and privacy policy.
  2. Save loan records and proof of payment.
  3. Revoke unnecessary app permissions.
  4. Send a formal data deletion or blocking request.
  5. Ask for retained-data categories and legal basis.
  6. Demand deletion of contact-list data.
  7. Demand cessation of third-party disclosure.
  8. Preserve harassing messages and call logs.
  9. Ask contacted persons for screenshots.
  10. File a complaint with the NPC for privacy violations.
  11. File a complaint with the SEC for abusive lending or collection practices.
  12. Report threats, fake legal documents, impersonation, or public shaming to appropriate authorities.

LVII. Conclusion

Online lending apps may lawfully collect and process borrower data for legitimate lending purposes, but they must comply with Philippine privacy law. They must be transparent, collect only necessary data, use data for legitimate purposes, protect it securely, and respect data subject rights.

Borrowers have the right to be informed, access their data, object to unlawful processing, correct inaccurate information, request deletion or blocking, and complain to regulators. The right to deletion is important but not absolute. A lender may retain certain records for unpaid loans, legal compliance, accounting, disputes, fraud prevention, or legal claims. However, it should not retain or use excessive data, contact-list data, or personal information for harassment, shaming, or unauthorized disclosure.

The central rule is proportionality. A debt may be collected, but personal data cannot be weaponized. A borrower’s obligation to repay does not give an online lending app the right to invade privacy, shame the borrower, harass contacts, or keep data forever without lawful basis.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login